Overview

overview

10

Static

static

10

Document.doc.scr.exe

windows7-x64

9

Document.doc.scr.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.doc.scr.exe

  • Size

    194KB

  • MD5

    6fd558cf3add096970e15d1e62ca1957

  • SHA1

    78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23

  • SHA256

    41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898

  • SHA512

    fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc

  • SSDEEP

    3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (306) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\ProgramData\9B27.tmp
      "C:\ProgramData\9B27.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9B27.tmp >> NUL
        3⤵
          PID:800
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x154
      1⤵
        PID:1624

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\BBBBBBBBBBB
        Filesize

        129B

        MD5

        7638c9247fc08456cae1f16d01431c8b

        SHA1

        ae2eb15ed31742d1cd40664fb3d04f5fe40fbe40

        SHA256

        f60517cf64f5a54ba1590771504aaa58989df55b7aec7d8e8f35e3b0f679200c

        SHA512

        da1be5c4432adb0d5b6a7caf11bd09f2734698ed7ddf00b1a27fa776ead016eefb89d7fc107def44377b97101cdf4702c6f5d0374fe93db12001586aaa83b6fb

        Download Submit

      • C:\AAtvmKv4L.README.txt
        Filesize

        434B

        MD5

        b4709a56b9d7f431da172316cda720be

        SHA1

        d2132f7129a7003ec4c0392f0f08cd24ea353da6

        SHA256

        192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

        SHA512

        e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

        Download Submit

      • C:\ProgramData\9B27.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDD
        Filesize

        194KB

        MD5

        6cb4e2e35e2a7f037cfa3625dab91624

        SHA1

        7fe7b15c6f8ac725ef89498d3d5b4f7cb6ff4078

        SHA256

        6985adf57fd2a777b8df16d6dedc1b6bb5965b649a07d9dff72ac13c9bdf699a

        SHA512

        90e5d81bd5f966e8aae4798fd46b3c24c4611f7ed49e0093d629aa5b8b23917e56a96a1262b260a6a660c215515d250b8ef5dffab7554660ae41a917f8c93c1d

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\OOOOOOOOOOO
        Filesize

        129B

        MD5

        a46d87160ec7a6a401e65333e8223895

        SHA1

        bfe536dc997c1f5f1bb704d809d69102582e0889

        SHA256

        b2e0626275ceb2e365326f290eaea40be6db2661e8e0a1a47e11c3e39eb6617b

        SHA512

        9bd94ecceb17d0819168bdb170c630315f3376962699fe131a8fb1a9a0db4cc7f30b240853d4788d9d0ae870d6f0e8619da3257fedc4013c86cd95d761dd3a07

        Download Submit

      • memory/1832-824-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1832-853-0x0000000002480000-0x00000000024C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1832-854-0x0000000002480000-0x00000000024C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2812-0-0x0000000000830000-0x0000000000870000-memory.dmp

        Filesize

        256KB

        Download